Configure database encryption on Grafana Labs

Encrypt database secrets using Google Cloud KMS

Fri, 03 Apr 2026 19:43:06 +0000

Encrypt database secrets using Google Cloud KMS

You can use an encryption key from Google Cloud Key Management Service to encrypt secrets in the Grafana database.

Prerequisites:

A Google Cloud account with permission to list and create KMS keys and service accounts to access those keys
Access to the Grafana configuration file

Create a key ring in Google Cloud KMS.
Create a symmetric encryption key in the key ring.
Create a service account and assign it a role: it can be a predefined role or custom role with permissions to encrypt and decrypt secrets with Key Management Service.
Create a service account key and save its JSON file to you computer, for example, as ~/.config/gcloud/sample-project-credentials.json.
From within Grafana, turn on envelope encryption.
Add your Google Cloud KMS details to the Grafana configuration file; depending on your operating system, is usually named grafana.ini:

a. Add a new section to the configuration file, with a name in the format of [security.encryption.azurekv.<KEY-NAME>], where <KEY-NAME> is any name that uniquely identifies this key among other provider keys.

b. Fill in the section with the following values:
- key_id: encryption key ID, refer to Getting the ID for a Key.
- credentials_file: full path to service account key JSON file on your computer.
An example of a Google Cloud KMS provider section in the grafana.ini file is as follows:
```
# Example of Google Cloud KMS provider setup
;[security.encryption.googlekms.example-encryption-key]
# Google Cloud KMS key ID
key_id = 1234abcd-12ab-34cd-56ef-1234567890ab
# Full path to a JSON file with a service account key
credentials_file = ~/.config/gcloud/sample-project-credentials.json
```

Update the [security] section of the grafana.ini configuration file with the new Encryption Provider key that you created:

[security]
# previous encryption key, used for legacy alerts, decrypting existing secrets or used as default provider when external providers are not configured
secret_key = AaaaAaaa
# encryption provider key in the format <PROVIDER>.<KEY-NAME>
encryption_provider = googlekms.example-encryption-key
# list of configured key providers, space separated
available_encryption_providers = googlekms.example-encryption-key

Restart Grafana.
(Optional) From the command line and the root directory of Grafana Enterprise, re-encrypt all of the secrets within the Grafana database with the new key using the following command:

grafana cli admin secrets-migration re-encrypt

If you do not re-encrypt existing secrets, then they will remain encrypted by the previous encryption key. Users will still be able to access them.

> Note: This process could take a few minutes to complete, depending on the number of secrets (such as data sources) in your database. Users might experience errors while this process is running, and alert notifications might not be sent.

> Note: If you are updating this encryption key during the initial setup of Grafana before any data sources or dashboards have been created, then this step is not necessary because there are no secrets in Grafana to migrate.

Encrypt database secrets using Hashicorp Vault

Fri, 03 Apr 2026 19:43:06 +0000

Encrypt database secrets using Hashicorp Vault

You can use an encryption key from Hashicorp Vault to encrypt secrets in the Grafana database.

Prerequisites:

Permissions to manage Hashicorp Vault to enable secrets engines and issue tokens.
Access to the Grafana configuration file

Enable the transit secrets engine in Hashicorp Vault.
Create a named encryption key.
Create a periodic service token.
From within Grafana, turn on envelope encryption.
Add your Hashicorp Vault details to the Grafana configuration file; depending on your operating system, is usually named grafana.ini:

a. Add a new section to the configuration file, with a name in the format of [security.encryption.hashicorpvault.<KEY-NAME>], where <KEY-NAME> is any name that uniquely identifies this key among other provider keys.

b. Fill in the section with the following values:
- token: a periodic service token used to authenticate within Hashicorp Vault.
- url: URL of the Hashicorp Vault server.
- transit_engine_path: mount point of the transit engine.
- key_ring: name of the encryption key.
- token_renewal_interval: specifies how often to renew token; should be less than the period value of a periodic service token.
An example of a Hashicorp Vault provider section in the grafana.ini file is as follows:
```
# Example of Hashicorp Vault provider setup
;[security.encryption.hashicorpvault.example-encryption-key]
# Token used to authenticate within Vault. We suggest to use periodic tokens: more on token types https://www.vaultproject.io/docs/concepts/tokens#service-tokens
;token =
# Location of the Hashicorp Vault server
;url = http://localhost:8200
# Mount point of the transit secret engine
;transit_engine_path = transit
# Key ring name
;key_ring = grafana-encryption-key
# Specifies how often to check if a token needs to be renewed, should be less than a token's period value
token_renewal_interval = 5m
```

Update the [security] section of the grafana.ini configuration file with the new Encryption Provider key that you created:

[security]
# previous encryption key, used for legacy alerts, decrypting existing secrets or used as default provider when external providers are not configured
secret_key = AaaaAaaa
# encryption provider key in the format <PROVIDER>.<KEY-NAME>
encryption_provider = hashicorpvault.example-encryption-key
# list of configured key providers, space separated
available_encryption_providers = hashicorpvault.example-encryption-key

Restart Grafana.
(Optional) From the command line and the root directory of Grafana Enterprise, re-encrypt all of the secrets within the Grafana database with the new key using the following command:

grafana cli admin secrets-migration re-encrypt

If you do not re-encrypt existing secrets, then they will remain encrypted by the previous encryption key. Users will still be able to access them.

> Note: This process could take a few minutes to complete, depending on the number of secrets (such as data sources) in your database. Users might experience errors while this process is running, and alert notifications might not be sent.

> Note: If you are updating this encryption key during the initial setup of Grafana before any data sources or dashboards have been created, then this step is not necessary because there are no secrets in Grafana to migrate.

Encrypt database secrets using AWS KMS

Fri, 03 Apr 2026 19:43:06 +0000

Encrypt database secrets using AWS KMS

You can use an encryption key from AWS Key Management Service to encrypt secrets in the Grafana database.

Prerequisites:

An AWS account with permission to view and create KMS keys and programmatic credentials to access those keys
Access to the Grafana configuration file

Create a symmetric API key either from the AWS Management Console or by using the AWS KMS API.

For detailed instructions, refer to Creating keys.
Retrieve the Key ID.

In AWS terms, this can be a key ID, a key ARN (Amazon Resource Name), an alias name, or an alias ARN. For more information about how to retrieve a key ID from AWS, refer to Finding the key ID and key ARN.
Create a programmatic credential (access key ID and secret access key), which has permission to view the key that you created.

In AWS, you can control access to your KMS keys by using key policies, IAM policies, and grants. You can also create temporary credentials, which must provide a session token along with an access key ID and a secret access key.
From within Grafana, turn on envelope encryption.

Add your AWS KMS details to the Grafana configuration file; depending on your operating system, it is usually named grafana.ini:

a. Add a new section to the configuration file, with a name in the format of [security.encryption.awskms.<KEY-NAME>], where <KEY-NAME> is any name that uniquely identifies this key among other provider keys.

b. Fill in the section with the following values:

key_id: a reference to a key stored in the KMS. This can be a key ID, a key Amazon Resource Name (ARN), an alias name, or an alias ARN. If you are using an alias, use the prefix alias/. To specify a KMS key in a different AWS account, use its ARN or alias. For more information about how to retrieve a key ID from AWS, refer to Finding the key ID and key ARN.

`key_id` option	Example value
Key ID	`1234abcd-12ab-34cd-56ef-1234567890ab`
Key ARN	`arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
Alias name	`alias/ExampleAlias`
Alias ARN	`arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`

access_key_id: The AWS Access Key ID that you previously generated.
secret_access_key: The AWS Secret Access Key you previously generated.
region: The AWS region where you created the KMS key. The region is contained in the key’s ARN. For example: arn:aws:kms:*us-east-2*:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

An example of an AWS KMS provider section in the grafana.ini file is as follows:

# AWS key management service provider setup
;[security.encryption.awskms.example-encryption-key]
# Reference to a KMS key - either key ID, key ARN, alias name, or ARN
;key_id = 1234abcd-12ab-34cd-56ef-1234567890ab
# AWS access key ID
;access_key_id = AKIAIOSFODNN7EXAMPLE
# AWS secret access key
;secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# AWS region, for example eu-north-1
;region = eu-north-1

Update the [security] section of the grafana.ini configuration file with the new Encryption Provider key that you created:

[security]
# previous encryption key, used for legacy alerts, decrypting existing secrets or used as default provider when external providers are not configured
secret_key = AaaaAaaa
# encryption provider key in the format <PROVIDER>.<KEY_NAME>
encryption_provider = awskms.example-encryption-key
# list of configured key providers, space separated
available_encryption_providers = awskms.example-encryption-key

Restart Grafana.
(Optional) From the command line and the root directory of Grafana, re-encrypt all of the secrets within the Grafana database with the new key using the following command:

grafana cli admin secrets-migration re-encrypt

If you do not re-encrypt existing secrets, then they will remain encrypted by the previous encryption key. Users will still be able to access them.

> Note: This process could take a few minutes to complete, depending on the number of secrets (such as data sources) in your database. Users might experience errors while this process is running, and alert notifications might not be sent.

> Note: If you are updating this encryption key during the initial setup of Grafana before any data sources or dashboards have been created, then this step is not necessary because there are no secrets in Grafana to migrate.

Encrypt database secrets using Azure Key Vault

Fri, 03 Apr 2026 19:43:06 +0000

Encrypt database secrets using Azure Key Vault

You can use an encryption key from Azure Key Vault to encrypt secrets in the Grafana database.

Prerequisites:

An Azure account with permission to view and create Key Vault keys and programmatic credentials to access those keys
Access to the Grafana configuration file

Create a vault.
Create a key in the Key Vault with the name that you want by using RSA as the type and 2048 as the size with encrypt and decrypt permissions.
Register an application and generate a client secret for it.
Assign a Key Vault access policy for the key vault that you created:
In the Key Permissions section, set encrypt and decrypt permissions, and click Save.
From within Grafana, turn on envelope encryption.
Add your Azure Key Vault details to the Grafana configuration file; depending on your operating system, is usually named grafana.ini:

a. Add a new section to the configuration file, with a name in the format of [security.encryption.azurekv.<KEY-NAME>], where <KEY-NAME> is any name that uniquely identifies this key among other provider keys.

b. Fill in the section with the following values:
- tenant_id: the Directory ID (tenant) from the application that you registered.
- client_id: the Application ID (client) from the application that you registered.
- client_secret: the VALUE of the secret that you generated in your app. (Don’t use the Secret ID).
- key_id: the key name that you created in the key vault.
- vault_uri: the URL of your key vault.
An example of an Azure Key Vault provider section in the grafana.ini file is as follows:
```
# Azure Key Vault provider setup
;[security.encryption.azurekv.example-encryption-key]
# Azure Application directory ID (tenant)
tenant_id = 1234abcd-12ab-34cd-56ef-1234567890ab
# Azure Application application ID (client).
client_id = 1356dfgh-12ab-34cd-56ef-3322114455cc
# Azure Application client secret.
client_secret = FbE4X~4Jq45ERKxx823Aheb9plBjQqHHe81Sc
# Azure Key Vault key name.
key_id = mysecretkey
# Azure Key Vault uri.
vault_uri = https://my-vault-name.vault.azure.net
```

Update the [security] section of the grafana.ini configuration file with the new Encryption Provider key that you created:

[security]
# previous encryption key, used for legacy alerts, decrypting existing secrets or used as default provider when external providers are not configured
secret_key = AaaaAaaa
# encryption provider key in the format <PROVIDER>.<KEY-NAME>
encryption_provider = azurekv.example-encryption-key
# list of configured key providers, space separated
available_encryption_providers =  azurekv.example-encryption-key

Restart Grafana.
(Optional) From the command line and the root directory of Grafana Enterprise, re-encrypt all of the secrets within the Grafana database with the new key using the following command:

grafana cli admin secrets-migration re-encrypt

If you do not re-encrypt existing secrets, then they will remain encrypted by the previous encryption key. Users will still be able to access them.

> Note: This process could take a few minutes to complete, depending on the number of secrets (such as data sources) in your database. Users might experience errors while this process is running, and alert notifications might not be sent.

> Note: If you are updating this encryption key during the initial setup of Grafana before any data sources or dashboards have been created, then this step is not necessary because there are no secrets in Grafana to migrate.

Integrate Grafana with Hashicorp Vault

Fri, 03 Apr 2026 19:43:06 +0000

Integrate Grafana with Hashicorp Vault

If you manage your secrets with Hashicorp Vault, you can use them for Configuration and Provisioning.

Note
Available in Grafana Enterprise.

Note
If you have Grafana set up for high availability, then we advise not to use dynamic secrets for provisioning files. Each Grafana instance is responsible for renewing its own leases. Your data source leases might expire when one of your Grafana servers shuts down.

Configuration

Before using Vault, you need to activate it by providing a URL, authentication method (currently only token), and a token for your Vault service. Grafana automatically renews the service token if it is renewable and set up with a limited lifetime.

If you’re using short-lived leases, then you can also configure how often Grafana should renew the lease and for how long. We recommend keeping the defaults unless you run into problems.

[keystore.vault]
# Location of the Vault server
;url =
# Vault namespace if using Vault with multi-tenancy
;namespace =
# Method for authenticating towards Vault. Vault is inactive if this option is not set
# Possible values: token
;auth_method =
# Secret token to connect to Vault when auth_method is token
;token =
# Time between checking if there are any secrets which needs to be renewed.
;lease_renewal_interval = 5m
# Time until expiration for tokens which are renewed. Should have a value higher than lease_renewal_interval
;lease_renewal_expires_within = 15m
# New duration for renewed tokens. Vault may be configured to ignore this value and impose a stricter limit.
;lease_renewal_increment = 1h

Example for vault server -dev:

[keystore.vault]
url = http://127.0.0.1:8200 # HTTP should only be used for local testing
auth_method = token
token = s.sAZLyI0r7sFLMPq6MWtoOhAN # replace with your key

Using the Vault expander

After you configure Vault, you must set the configuration or provisioning files you wish to use Vault. Vault configuration is an extension of configuration’s variable expansion and follows the $__vault{<argument>} syntax.

The argument to Vault consists of three parts separated by a colon:

The first part specifies which secrets engine should be used.
The second part specifies which secret should be accessed.
The third part specifies which field of that secret should be used.

For example, if you place a Key/Value secret for the Grafana admin user in secret/grafana/admin_defaults the syntax for accessing its password field would be $__vault{kv:secret/grafana/admin_defaults:password}.

Secrets engines

Vault supports many secrets engines which represents different methods for storing or generating secrets when requested by an authorized user. Grafana supports a subset of these which are most likely to be relevant for a Grafana installation.

Key/Value

Grafana supports Vault’s K/V version 2 storage engine which is used to store and retrieve arbitrary secrets as kv.

$__vault{kv:secret/grafana/smtp:username}

Databases

The Vault databases secrets engines is a family of secret engines which shares a similar syntax and grants the user dynamic access to a database. You can use this both for setting up Grafana’s own database access and for provisioning data sources.

$__vault{database:database/creds/grafana:username}

Examples

The following examples show you how to set your configuration or provisioning files to use Vault to retrieve configuration values.

Configuration

The following is a partial example for using Vault to set up a Grafana configuration file’s email and database credentials. Refer to Configuration for more information.

[smtp]
enabled = true
host = $__vault{kv:secret/grafana/smtp:hostname}:587
user = $__vault{kv:secret/grafana/smtp:username}
password = $__vault{kv:secret/grafana/smtp:password}

[database]
type = mysql
host = mysqlhost:3306
name = grafana
user = $__vault{database:database/creds/grafana:username}
password = $__vault{database:database/creds/grafana:password}

Provisioning

The following is a full examples of a provisioning YAML file setting up a MySQL data source using Vault’s database secrets engine. Refer to Provisioning for more information.

provisioning/custom.yaml

apiVersion: 1

datasources:
  - name: statistics
    type: mysql
    url: localhost:3306
    database: stats
    user: $__vault{database:database/creds/ro/stats:username}
    secureJsonData:
      password: $__vault{database:database/creds/ro/stats:password}